Romanian duo arrested for running malware encryption service to bypass antivirus software

20 November 2020
Press Release

Two Romanian suspects were arrested yesterday for allegedly running the CyberSeal and Dataprotector crypting services to evade antivirus software detection. These services have been purchased by more than 1560 criminals and used for crypting several different types of malware, including Remote Access Trojans, information stealers and ransomware.

The pair also operated the Cyberscan service which allowed their clients to test their malware against antivirus tools.

This operation was led by the Romanian Police (Poliția Română) together with the United States Federal Bureau of Investigation (FBI), the Australian Federal Police (AFP), the Norwegian National Criminal Investigation Service (Kripos) and Europol. It was carried out in the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT). 

Results in brief

  • 2 administrators arrested in Romania
  • 4 house searches carried out in Bucharest and Craiova (Romania)
  • Backend infrastructure taken down in Romania, Norway and the United States.

How do criminals bypass antivirus software?

One common way for hackers to circumvent antivirus detection is through the use of crypters which encrypt or hide the underlying code in a piece of software, typically malware, to masquerade as something harmless until it gets installed on a victim’s computer.

The services provided by these two suspects fall under this category and have been offered for sale in the underground criminal market since 2010.

Their clients paid between US$40 and US$300 for these crypting services, depending on licence conditions. Their service activity was well structured and offered regular updates and customer support to the clients.

The criminals also offered a Counter Antivirus platform allowing criminals to test their malware samples against antivirus software until the malware becomes fully undetectable (FUD). The prices for this service varied between US$7 and US$40.

Europol operational support

The coordination efforts in this case were led by Europol’s European Cybercrime Centre (EC3), which facilitated the exchange of information and provided forensic, malware and operational analysis in preparation for the action.

During the action day, a virtual command post was set up by Europol, allowing for the real-time exchange of information between all involved countries to adjust the operational strategy as required.

Headquartered in The Hague, the Netherlands, we support the 27 EU Member States in their fight against terrorism, cybercrime and other serious and organised forms of crime. We also work with many non-EU partner states and international organisations. From its various threat assessments to its intelligence-gathering and operational activities, Europol has the tools and resources it needs to do its part in making Europe safer.


In 2010 the European Union set up a four-year Policy Cycle to ensure greater continuity in the fight against serious international and organised crime. In 2017 the Council of the EU decided to continue the EU Policy Cycle for the 2018 - 2021 period. It aims to tackle the most significant threats posed by organised and serious international crime to the EU. This is achieved by improving and strengthening cooperation between the relevant services of EU Member States, institutions and agencies, as well as non-EU countries and organisations, including the private sector where relevant. Cybercrime is one of the priorities for the Policy Cycle.